Fix a visible color profile difference between between images rendered via Core Graphics
and those rendered via a compositing layer, by assigning the GenericRGB profile to
untagged images (which come through as having the DeviceRGB profile) when they are set
as layer contents.

loader/appcache/ApplicationCacheStorage.cpp:
(WebCore::ApplicationCacheStorage::findOrCreateCacheGroup):
(WebCore::ApplicationCacheStorage::cacheGroupForURL):
(WebCore::ApplicationCacheStorage::fallbackCacheGroupForURL):
Assert that there is no URL fragment in URL at key points in appcache code.

WebFrame.cpp:
(WebFrame::printHeader): New shared method to print the header.
(WebFrame::printFooter): New shared method to print the footer.
(WebFrame::spoolPage): New conditionally-compiled method to print
a page.
(WebFrame::spoolPages): Revised to call the platform-specific spoolPage
for each page.

Plugins/WebNetscapePluginView.mm:
(-[WebNetscapePluginView setLayer:]):
Make sure to set the size of the layer before changing the autoresizing mask so it won't grow everytime it's inserted
into the layer tree.

Some shapers (i.e. Khmer) will produce cluster logs which report that
/no/ code points contributed to certain glyphs. Because of this, we
take any code point which contributed to the glyph in question, or any
subsequent glyph. If we run off the end, then we take the last code
point.

Similar to r26667 handle the case where didReceiveResponse on the
plugin view results in failure to set up the stream and
setMainDocumentError being called instead. This will set the
m_pluginView back to 0 and we need check for it before calling
didReceiveData.

This was triggered by consecutive execution of
LayoutTests/plugins/return-error-from-new-stream-callback-in-full-frame-plugin.html
followed by LayoutTests/scrollbars/scrollbar-crash-on-refresh.html

focus-in and focus-out events only get triggered when there's user
interaction, hence setFocused(bool) never gets called when
focusEvent is triggered when running the layout tests. The
solution seems to be to implement grab-focus too so we can call
setFocused(bool) when a widget has focus.

The test calls notifyDone() and then dumpAsText(). The latter call has no effect
as notifyDone() performs the dump, but it passes in the mac DRT because the mime-type
of the .html file is detected as text/plain and therefore the text is dumped instead
of the render tree.

Changed the testcase to call dumpAsText() first and then notifyDone(), to make it
pass without relying on the mime type detection.

That also makes the test pass in the Qt DRT.

fast/events/mouseout-dead-subframe.html: Swapped notifyDone() and dumpAsText() calls to
call the former before the latter.

There were a number of bugs introduced during the last upstreaming
effort that broke around 30 layout tests. This fixes those bugs.
It also has compile fixes to match the recent cutting apart of
V8Proxy.

workers/AbstractWorker.cpp: Added.
(WebCore::AbstractWorker::AbstractWorker):
Common base class for SharedWorker and (soon) Worker. The functions below were copied from Worker.cpp.
This is the first step in refactoring Worker to derive from AbstractWorker to enable code sharing.
(WebCore::AbstractWorker::~AbstractWorker):
(WebCore::AbstractWorker::addEventListener):
(WebCore::AbstractWorker::removeEventListener):
(WebCore::AbstractWorker::dispatchEvent):
(WebCore::AbstractWorker::dispatchLoadErrorEvent):
(WebCore::AbstractWorker::dispatchScriptErrorEvent):

Instead of just using the script's URL as to detect an XSS attack, we
now use a bit of context before the URL. In particular, we use the
bytes from the beginning of the attribute name to the end of the
attribute value. In virtually all injection attacks, the attacker
would need to supply the attribute name as well as the attribute value.
However, in the Facebook false positive, the attribute name is not
present in the URL.

page/XSSAuditor.cpp:
(WebCore::XSSAuditor::canSetBaseElementURL): Changed conditional to only call
XSSAuditor::findInRequest() if the host in the page URL disagrees with the host
in the base element URL.

xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::loadRequestAsynchronously): Don't perform the XHR compensation when the XHR
is running on a worker thread. Accessing the global Cache data structures from a non-main thread is
not currently supported.

WebCoreSupport/WebFrameLoaderClient.mm:
(WebFrameLoaderClient::dispatchDidReceiveIcon): Commented out
the body of the method if ICONDATABASE is disabled.
(WebFrameLoaderClient::registerForIconNotification): Ditto.

directory, don't print help for commands that are only supported
on git working directories.

Scripts/bugzilla-tool:
(Command.init): Added requires_local_commits argument with a
default of False. Set self.requires_local_commits attribute.
(PostCommitsAsPatchesToBug.execute): Removed
SCM.supports_local_commits() check since this is now handled by
BugzillaTool.main().
(PostCommitsAsPatchesToBug.init): Added
requires_local_commits=True argument to Command.init().
(BugzillaTool.commands_usage): Don't print help for commands if
they require local commits and the current SCM doesn't support
them.
(BugzillaTool.main): If command_object requires local commits
and the current SCM doesn't, exit with an error message.

Flashing as hardware layers are created and destroyed in some content
<rdar://problem/7032246>

There's a window of time between the end of one runloop cycle, after CA layers changes
have been committed, and the window display at the start of the next cycle when
CA may push updates to the screen before AppKit has drawn the view contents. If
we know that we need to do drawing synchronization (which we do when content moves
between a layer and the view), then we need to call -disableScreenUpdatesUntilFlush
from the existing runloop observer that is set up when layers need repainting to
ensure that layer updates don't reach the screen before view-based painting does.

inspector/JavaScriptDebugServer.cpp:
(WebCore::JavaScriptDebugServer::detach): In the special case
where we detach from a window currently executing JavaScript,
manually tear down our representation of the JavaScript
call stack, since we won't get any more callbacks from JavaScriptCore
to automatically tear it down. It's too bad that WebCore is
responsible for this kind of tracking -- in the future, it would
be nice if more of the breakpoint handling was inside of JavaScriptCore.

With this test we ended up going over the maximum-connections-per-host limit that CFNetwork expected.
When that happened, the first request that was over the limit ended up in a bizarre state where it
wasn't fully serviced until after the long running XHR was complete.

Loader and Loader::Host work together to try to not exceed the max-connection limit but non-cache
resources - such as XHR - could still end up causing this limit to be exceeded.

This fix adds a workaround specifically for XHR while we hash out a more thorough solution that will
handle this at the resource handle level.

Use altered search path while loading plug-ins. This modifies the DLL search order
to look in the directory containing the plug-in even if a call to SetDllDirectory
was previously made. Use of SetDllDirectory removes the current directory from the search path,
breaking the previous strategy for locating any dependent DLLs of the plug-in.

Reviewed by Jon Honeycutt.

plugins/win/PluginPackageWin.cpp:
(WebCore::PluginPackage::load): Use LoadLibraryEx with LOAD_WITH_ALTERED_SEARCH_PATH

RenderLayerBacking's paintIntoLayer() method called updateLayerListsIfNeeded(),
which could potentially destroy that compositing layer, causing a crash.
Prevent this from happening by not doing a compositing update from paintIntoLayer().

The existing updateLayerListsIfNeeded() was renamed to updateCompositingAndLayerListsIfNeeded(),
and still does the compositing update. The new updateLayerListsIfNeeded() does not touch
compositing layers, and is still called from paintIntoLayer().

loader/FrameLoader.cpp:
(WebCore::FrameLoader::gotoAnchor): Moved the code to update layout,
find the renderer to scroll to, and scroll from here to methods on
FrameView, and replaced it with a call to
FrameView::maintainScrollPositionAtAnchor().
(WebCore::FrameLoader::completed): Call maintainScrollPositionAtAnchor()
instead of setLockedToAnchor().

page/FrameView.cpp:
(WebCore::FrameView::FrameView): Removed initialization of
m_lockedToAnchor.
(WebCore::FrameView::reset): Reset m_maintainScrollPositionAnchor instead
of m_lockedToAnchor.
(WebCore::FrameView::layout): Removed the code related to scrolling to
the anchor from here, because scrolling can trigger events which
invalidate the layout, and as such, belongs with the post-layout tasks.
(WebCore::FrameView::maintainScrollPositionAtAnchor): Added. When called
with a node scrolls the view to the top of that node and maintains it
scrolled to the top of the node during subsequent layouts, until
this function is called with 0 or other things trigger scrolling.
(WebCore::FrameView::scrollRectIntoViewRecursively): Reset
m_maintainScrollPositionAnchor.
(WebCore::FrameView::setScrollPosition): Ditto.
(WebCore::FrameView::scrollToAnchor): Added. Scrolls to the top of
m_maintainScrollPositionAnchor, if it is set.
(WebCore::FrameView::performPostLayoutTasks): Call scrollToAnchor().
(WebCore::FrameView::setWasScrolledByUser): Reset
m_maintainScrollPositionAnchor.

Fix crash when in frame tree of a new frame before the new frame
has been installed in the frame tree, similar to r35088.

After calling Frame::init() the frame it may have been removed from the
frame tree again through JavaScript. Detect this by checking the page()
afterwards.

To make this check safe the Frame::init() code was moved into
QWebFrameData's constructor, where a RefPtr holds a reference to the frame.
After the check back in FrameLoaderClientQt we would hold the single
reference left and after release() the frame, its frame loader, its
client as well as the QWebFrame should have disappeared then.

07/09/09:

added InlineBox::isLeaf()
firstLeafChild()/lastLeafChild() not virtual and not callable on InlineBox anymore.
firstLeafChild()/lastLeafChild() will no longer return a node outside of the given subtree.
Removed firstLeafChildAfterBox()/lastLeafChildBeforeBox()
Removed potentially quadratic behavior if all nodes before/after a given box are empty InlineFlowBoxes

Currently, these methods are called on RootInlineBox objects only, so above changes should not have
any observable effect (only the removal of the square performance behavior could apply,
but the conditions for that are probably of a rather theoretical nature).

Implement the part of HTML5 spec that deals with parsing of <rp> and <rt> tags
in that their end tags are optional if followed by <rp>/<rt>.

Also specify a new accessibility role "annotation" for <rp> and <rt>.

Affected code parts are not enclosed in #IF ENABLE(RUBY), since the parsing
is not affected by whether ruby is rendered properly or not (in fact, it may
be more profound without ruby layouting, since the contents of <rp> are not hidden).

plugins/PluginView.cpp:
(WebCore::PluginView::bindingInstance):
Protect the PluginView from destruction before calling NPN_GetValue. If
the renderer for the PluginView was destroyed during the call, and the
PluginView's ref count is now 1, return null.

WebView/WebHTMLView.mm:
(-[WebHTMLView _addToStyle:fontA:fontB:]): Fix code that detects whether the font would
survive a round trip by using the weight corresponding to "bold" or "normal" rather than
the actual weight number.

WebCoreSupport/WebFrameLoaderClient.cpp: (WebFrameLoaderClient::updateGlobalHistory):
Do not increase visit count if there is a redirect source. As a result, only pages that were
explicitly visited by the user (by typing a URL, choosing one from bookmarks, or clicking
a link) will be counted.

Interfaces/IWebHistoryItemPrivate.idl:

WebHistory.cpp:
(WebHistory::visitedURL):

WebHistory.h:

WebHistoryItem.cpp:
(WebHistoryItem::visitedWithTitle):

WebHistoryItem.h:
Marshal this new argument all the way down to WebCore.

loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadSubframe):
(WebCore::FrameLoader::loadPlugin):
Make the widget variable a RefPtr. Use .get() when passing it to
RenderPart::setWidget().
(WebCore::FrameLoader::createJavaAppletWidget):
Make the widget variable a RefPtr.

rendering/RenderApplet.cpp:
Receive result in a RefPtr when calling createJavaAppletWidget().

rendering/RenderPart.cpp:
(WebCore::RenderPart::setWidget):
setWidget() now takes a PassRefPtr. Also removed the manual ref of
FrameViews. This is handled by having m_widget be a RefPtr. Removed
deleteWidget().

platform/graphics/GraphicsLayer.cpp:
(WebCore::GraphicsLayer::GraphicsLayer):
Add a m_contentsOrientation member and getter/setter to control whether
the contents of this layer have a transform applied to them before display.

platform/graphics/mac/GraphicsLayerCA.h:
New method to return the default contents orientation.

platform/graphics/mac/GraphicsLayerCA.mm:
(WebCore::flipTransform):
Convenience method to return a transform with a Y flip.

(WebCore::GraphicsLayerCA::GraphicsLayerCA):
(WebCore::GraphicsLayerCA::setSize):
After the size changes we have to update the contentsTransform.

(WebCore::GraphicsLayerCA::setGeometryOrientation):
(WebCore::GraphicsLayerCA::geometryOrientation):
If -setGeometryFlipped: is not available, use a children transform.

(WebCore::GraphicsLayerCA::swapFromOrToTiledLayer):
Tiled layers have issues with flipped contentsTransform, so just use
top-down drawing for them. Call updateContentsTransform() to set the
new contents transform after swapping layers.

(WebCore::GraphicsLayerCA::defaultContentsOrientation):
Use bottom-up when -geometryFlipped is not available, otherwise top-down.

(WebCore::GraphicsLayerCA::updateContentsTransform):
Set the layer contents transform based on contentsOrientation().

(WebCore::GraphicsLayerCA::setContentsLayer):
We have to manually flip contents layers if we're not using -geometryFlipped.

platform/graphics/mac/WebLayer.h:

platform/graphics/mac/WebLayer.mm:
Do early return if layerContents is nil. Flip the CTM if the layer has
bottom-up coordinates, so that CG sees a CTM with no flip.
Do the CGContextRestoreGState() after drawing the debug indicator.

(-[WebLayer setNeedsDisplayInRect:]):

platform/graphics/mac/WebTiledLayer.mm:
(-[WebTiledLayer setNeedsDisplayInRect:]):
Need to map the dirty rect through the contentsTransform.

history/HistoryItem.h:
Only increase visit count if explicitly told to. Now, some visits change last access time,
but do not increase visit count.

WebKit:

WebCoreSupport/WebFrameLoaderClient.mm: (WebFrameLoaderClient::updateGlobalHistory):
Do not increase visit count if there is a redirect source. As a result, only pages that were
explicitly visited by the user (by typing a URL, choosing one from bookmarks, or clicking
a link) will be counted.

Some shadow nodes "capture" all mouse events from mouseDown to mouseUp so they continue to
get mouse events even when the mouse is moved outside of the node. This is done by putting
EventHandler into a mode where it sends all mouse events to the node regardless of the
actual mouse position. The mode is set on mouseDown and cleared on mouseUp but if the
node is deleted while in this mode, the mouseUp is never sent and EventHandler continues
to try to send events to the deleted node. This sometimes results in a crash, and sometimes
in a page that doesn't respond to click events.